India has been following a very fragmented approach towards data protection laws, with protection spread over a mixture of statutes, the most prominent of which is the Information Technology Amendment Act, 2008, which mainly deals with “sensitive personal information”.
In May 2018, we saw the implementation of the European Union’s General Data Protection Regulation (GDPR) in full force. To keep in line with the GDPR regulations, the Indian Government in December 2019 introduced the Data Protection Bill, 2019 (Bill) with the intention of creating the first comprehensive data protection legal framework in India.
This Bill gives more clout to protecting the personal data of citizens, prevents misuse by private players and puts restrictions on both Indian and foreign entities that process the personal data of Indian nationals. Prime examples of companies that process personal data and information of a sensitive nature include social media entities like Facebook, Twitter, WhatsApp etc. With the introduction of the new Bill, multinationals in India are set to face the heat of the unique compliance challenges imposed, viz. data privacy and security.
Key Features of the Bill
Up until now, multinational companies had free rein in using and manipulating the personal data of the Indian citizens who regularly availed their services. In many cases these companies transmitted data to other countries, thus jeopardizing the privacy and security of both citizens and the country. Some of the key features of the Bill are modelled on the E.U.’s GDPR and provide more teeth to the protection of citizens’ rights, most notably:
- Notice and consent requirements for the processing of personal data;
- Limitations on the processing of personal data, which is only to be processed for the services as agreed by the user;
- Data localization—critical personal data is to be stored on servers within India, and restrictions on the transfer of other personal data outside India; and
- Financial consequences for noncompliance in the form of penalties. For instance, Sections 33 and 34 under the Bill can levy a penalty on violators to the tune of 1.73 million Euros or 4% of the offender’s yearly worldwide turnover of the previous financial year.
What do multinationals stand to lose in India if this GDPR-like legislation is implemented?
In India, implementation of the new Bill could lead to increased compliance costs for multinationals and small-time businesses. Further, the data localization requirement of storing critical data on servers within India, and the restriction on its transfer outside of India, may severely impact the global operations of these companies, as they will prevent the multinationals from using the data for business purposes outside India, thereby curtailing innovation and cross-border transfers. As per the report by Carnegie Mellon, dated May 2019, in India, a loss of up to 0.8 percent of GDP is estimated should the country adopt a localization requirement. The study also estimates a reduction of up to 1.4 percent of domestic investments in India due to localization requirements.
Conclusion
The implementation of the Data Protection Bill into law in India will come with its own set of problems for multinationals, viz. increased compliance costs, restrictions and administrative burdens, and a negative impact on investments. However, this Bill is an important step towards the protection of citizens' rights and their privacy, which is a key principle enshrined in Article 21 of the Indian Constitution. The impact of this Bill on citizens and multinationals can only be finally determined once the Bill becomes law.
We at D’Andrea and Partners have a team of experts who are continually monitoring the changes in the Indian laws and regulations. Reach out to us on info@dandreapartners.com if you have any questions.